US employee 'outsourced job to China'

A security check on a US company has reportedly revealed one of its staff was outsourcing his work to China.

The software developer, in his 40s, is thought to have spent his workdays surfing the web, watching cat videos on YouTube and browsing Reddit and eBay.

He reportedly paid just a fifth of his six-figure salary to a company based in Shenyang to do his job.

Operator Verizon says the scam came to light after the US firm asked it for an audit, suspecting a security breach.

According to Andrew Valentine, of Verizon, the infrastructure company requested the operator's risk team last year to investigate some anomalous activity on its virtual private network (VPN) logs.

"This organisation had been slowly moving toward a more telecommuting oriented workforce, and they had therefore started to allow their developers to work from home on certain days. In order to accomplish this, they'd set up a fairly standard VPN concentrator approximately two years prior to our receiving their call," he was quoted as saying on an internet security website.

The company had discovered the existence of an open and active VPN connection from Shenyang to the employee's workstation that went back months, Mr Valentine said.

And it had then called on Verizon to look into what it had suspected had been malware used to route confidential information from the company to China.

"Central to the investigation was the employee himself, the person whose credentials had been used to initiate and maintain a VPN connection from China," said Mr Valentine.

Further investigation of the employee's computer had revealed hundreds of PDF documents of invoices from the Shenyang contractor, he added.

The employee, an "inoffensive and quiet" but talented man versed in several programming languages, "spent less than one fifth of his six-figure salary for a Chinese firm to do his job for him", Mr Valentine said.

"Authentication was no problem. He physically FedExed his RSA [security] token to China so that the third-party contractor could log-in under his credentials during the workday. It would appear that he was working an average nine-to-five work day," he added.

"Evidence even suggested he had the same scam going across multiple companies in the area. All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about $50,000 (£31,270) annually."